From 4ea4813753c895118b7377495647b48f240ff4d8 Mon Sep 17 00:00:00 2001
From: Raito Bezarius <raito@lix.systems>
Date: Thu, 27 Mar 2025 12:22:26 +0100
Subject: [PATCH] libstore: ensure that temporary directory is always 0o000
 before deletion

In the case the deletion fails, we should ensure that the temporary
directory cannot be used for nefarious purposes.

Change-Id: I498a2dd0999a74195d13642f44a5de1e69d46120
Signed-off-by: Raito Bezarius <raito@lix.systems>
---
 src/libstore/unix/build/derivation-builder.cc | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/libstore/unix/build/derivation-builder.cc b/src/libstore/unix/build/derivation-builder.cc
index 22445d547..c61fe7001 100644
--- a/src/libstore/unix/build/derivation-builder.cc
+++ b/src/libstore/unix/build/derivation-builder.cc
@@ -2093,6 +2093,15 @@ void DerivationBuilderImpl::checkOutputs(const std::map<std::string, ValidPathIn
 void DerivationBuilderImpl::deleteTmpDir(bool force)
 {
     if (topTmpDir != "") {
+        /* As an extra caution, even in the event of `deletePath` failing to
+         * cleaning up behind. The `tmpDir` will be chown as if we were to move
+         * it inside the Nix store.
+         *
+         * This hardens against an attack which smuggles a file descriptor
+         * to make use of the temporary directory.
+         */
+        chmod(topTmpDir.c_str(), 0000);
+
         /* Don't keep temporary directories for builtins because they
            might have privileged stuff (like a copy of netrc). */
         if (settings.keepFailed && !force && !drv.isBuiltin()) {